npm - ebay-mcp-remote-edition - Versions diffs - 2.0.16 → 3.1.1 - Mend

ebay-mcp-remote-edition 2.0.16 → 3.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md +330 -490
package/build/auth/kv-store.js +68 -2
package/build/auth/multi-user-store.js +39 -6
package/build/config/environment.js +34 -8
package/build/scripts/auto-setup.js +0 -3
package/build/scripts/interactive-setup.js +11 -8
package/build/scripts/run-with-local-env.js +50 -0
package/build/scripts/setup.js +13 -10
package/build/server-http.js +340 -313
package/build/utils/oauth-helper.js +264 -162
package/package.json +21 -14

package/README.md CHANGED Viewed

@@ -1,9 +1,10 @@
-# eBay MCP (Remote Edition)
+# eBay MCP — Remote Edition
 <div align="center">
-A [Model Context Protocol (MCP)](https://modelcontextprotocol.io) server providing AI assistants with comprehensive access to eBay's Sell APIs. Includes **325+ tools** for inventory management, order fulfillment, marketing campaigns, analytics, developer tools, and more.
+A [Model Context Protocol (MCP)](https://modelcontextprotocol.io) server providing AI assistants with comprehensive access to eBay's Sell APIs. **325+ tools** covering inventory management, order fulfillment, marketing campaigns, analytics, developer tools, and more.
-**API Coverage:** 100% (270+ unique eBay API endpoints)
+**API Coverage:** 100% of eBay Sell APIs (270+ unique endpoints)
 [![npm version](https://img.shields.io/npm/v/ebay-mcp-remote-edition.svg)](https://www.npmjs.com/package/ebay-mcp-remote-edition)
 [![Socket Badge](https://socket.dev/api/badge/npm/package/ebay-mcp-remote-edition)](https://socket.dev/npm/package/ebay-mcp-remote-edition)
@@ -11,138 +12,110 @@ A [Model Context Protocol (MCP)](https://modelcontextprotocol.io) server providi
 </div>
-----
-## Fork differences
+---
-This fork of [Yosef Hayim's eBay MCP](https://github.com/YosefHayim/ebay-mcp) preserves the original local/STDIO workflow up to v1.7.5, while expanding and focusing on adding hosted multi-user support for both ephemeral and persistant remote server instances. For all intents and purposes, any changes made to the original project from that version on is completely independent of any changes made here, and may be considered a wholly separate project.
+## Overview
-### Added in this fork
+This project extends [Yosef Hayim's eBay MCP](https://github.com/YosefHayim/ebay-mcp) with a full hosted, multi-user deployment mode while keeping the original local STDIO mode intact. The key additions are:
-- Hosted Streamable HTTP MCP deployment mode for remote server deployment
-- Multi-user server-side eBay OAuth for both production and sandbox
-- Cloudflare KV-backed storage for:
-  - OAuth state
-  - user token records
-  - session records
-- Session-token based MCP auth:
-  - `Authorization: Bearer <session-token>`
-- Render Secret File support for environment-specific credentials
-- Admin session inspection/revocation endpoints
-- `GET /whoami` endpoint for session-bound identity lookup
-- Optional `OAUTH_START_KEY` protection for `/oauth/start`
-- **MCP OAuth 2.1 authorization server** — Cline and other MCP clients that support OAuth discovery (`/.well-known/oauth-authorization-server`, `POST /register`, `GET /authorize`, `POST /token`) can authenticate fully automatically via browser eBay OAuth with no manual token pasting
+- **Hosted Streamable HTTP mode** — deploy to Render (or any Node.js host) and serve multiple users from one instance
+- **MCP OAuth 2.1 authorization server** — full browser-based eBay login with automatic token management; Cline and other OAuth-aware clients connect with zero manual token pasting
+- **Environment-scoped route trees** — `/sandbox/mcp` and `/production/mcp` hard-bind their eBay environment; no query param needed
+- **Cloudflare KV / Upstash Redis** token and session storage for persistent multi-user auth
+- **Admin session management** — inspect, revoke, or delete sessions via authenticated endpoints
+- **TTL-aligned records** — every stored record (OAuth state, auth code, session, user token) carries an `expiresAt` timestamp and a matching KV/Redis TTL so storage and application expiry are always in sync
 ---
-## One-Click AI Setup
-> **Let your AI assistant set this up for you!** Copy the prompt below and paste it into Claude, ChatGPT, or any AI assistant with MCP support.
+## ⚠️ Disclaimer
-<details>
-<summary><strong>Click to copy the AI setup prompt</strong></summary>
+This is an open-source project provided "as is" without warranty of any kind. The authors accept **no responsibility or liability** for any damages arising from use of this software. This project is **not affiliated with, endorsed by, or sponsored by eBay Inc.** Test thoroughly in eBay's sandbox before using in production.
-```text
-I want to set up the eBay MCP Server for my AI assistant. Please help me:
+---
-1. Install the eBay MCP server:
-git clone https://github.com/mrnajiboy/ebay-mcp-remote-edition.git
-cd ebay-mcp-remote-edition
-pnpm install
-pnpm run build
+## Table of Contents
-2. I need to configure it for [Claude Desktop / Cursor / Cline / Zed / Continue.dev / Windsurf / Claude Code CLI / Amazon Q] (choose one)
+- [Choose a runtime mode](#choose-a-runtime-mode)
+- [Prerequisites](#prerequisites)
+- [Local mode setup](#local-mode-setup)
+  - [Install](#install)
+  - [Configure credentials](#configure-credentials)
+  - [Run the setup wizard](#run-the-setup-wizard)
+  - [Local client configuration](#local-client-configuration)
+- [Hosted mode setup](#hosted-mode-setup)
+  - [Environment variables](#hosted-environment-variables)
+  - [Secret file](#secret-file)
+  - [Deploy to Render](#deploy-to-render)
+  - [OAuth flows](#oauth-flows)
+  - [MCP endpoints](#mcp-endpoints)
+  - [Remote client configuration](#remote-client-configuration)
+- [Available tools](#available-tools)
+- [Development](#development)
+- [Testing & validation](#testing--validation)
+- [Troubleshooting](#troubleshooting)
+- [Resources](#resources)
-3. My eBay credentials are:
-   - Client ID: [YOUR_CLIENT_ID]
-   - Client Secret: [YOUR_CLIENT_SECRET]
-   - Environment: [sandbox / production]
-   - Redirect URI (RuName): [YOUR_REDIRECT_URI]
+---
-Please:
-- Create the appropriate config file for my MCP client
-- Set up the environment variables
-- Help me complete the OAuth flow to get a refresh token for higher rate limits
-- Test that the connection works
+## Choose a runtime mode
-If I don't have eBay credentials yet, guide me through creating a developer account at https://developer.ebay.com/
-```
+| Mode | Transport | Best for |
+|------|-----------|----------|
+| **Local STDIO** | stdin/stdout | Single-user local AI client (Claude Desktop, Cline, Cursor, etc.) |
+| **Hosted HTTP** | Streamable HTTP | Multi-user server deployment; remote MCP clients |
-</details>
+Both modes use the same eBay tools. The local mode reads credentials from environment variables or a `.env` file. The hosted mode handles multi-user OAuth server-side and authenticates clients with session tokens.
 ---
-## ⚠️ Disclaimer
-**IMPORTANT: Please read this disclaimer carefully before using this software.**
+## Prerequisites
-This is an **open-source project** provided "as is" without warranty of any kind, either express or implied. By using this software, you acknowledge and agree to the following:
+**All modes:**
+- Node.js ≥ 18.0.0
+- [pnpm](https://pnpm.io/) (or npm — `npm install -g pnpm`)
+- An [eBay Developer Account](https://developer.ebay.com/)
-- **No Liability:** The authors, contributors, and maintainers of this project accept **NO responsibility or liability** for any damages, losses, or issues that may arise from using this software.
-- **eBay API Usage:** This project is an unofficial third-party implementation and is **NOT affiliated with, endorsed by, or sponsored by eBay Inc.**
-- **Use at Your Own Risk:** Test thoroughly in eBay's sandbox before production use.
-- **Security:** You are responsible for securing API credentials, session tokens, and hosted endpoints.
+**Getting eBay credentials:**
+1. Log in to the [eBay Developer Portal](https://developer.ebay.com/my/keys)
+2. Create an application and copy your **App ID (Client ID)** and **Cert ID (Client Secret)**
+3. Under **User Tokens → Add RuName**, register your OAuth callback URL and copy the generated **RuName** string
-For official eBay API support, please refer to the [eBay Developer Program](https://developer.ebay.com/).
+> **`EBAY_RUNAME` is the RuName string eBay generates, not the callback URL itself.** It looks like `YourApp-YourApp-SBX-abcdefghi`. The callback URL is set separately (see below).
----
+### HTTPS callback URL (required by eBay)
-## Table of Contents
+eBay requires an HTTPS callback URL for OAuth. For local development, use [mkcert](https://github.com/FiloSottile/mkcert):
-- [Fork additions in this deployment-focused version](#fork-additions-in-this-deployment-focused-version)
-- [⚠️ Disclaimer](#️-disclaimer)
-- [Features](#features)
-- [Quick Start](#quick-start)
-  - [Local MCP Client Configuration](#local-mcp-client-configuration)
-- [Hosted Render Deployment](#hosted-render-deployment)
-  - [Hosted MCP Client Configuration](#hosted-mcp-client-configuration)
-- [Configuration](#configuration)
-- [Available Tools](#available-tools)
-- [Development](#development)
-- [Logging](#logging)
-- [Troubleshooting](#troubleshooting)
-- [Resources](#resources)
-- [License](#license)
+```bash
+brew install mkcert nss
+mkcert -install
+mkcert ebay-local.test
+echo "127.0.0.1  ebay-local.test" | sudo tee -a /etc/hosts
+```
-## Features
+Register `https://ebay-local.test:3000/oauth/callback` in the eBay Developer Portal as your Accept URL. Then add to `.env`:
-- **325+ eBay API Tools** - 100% coverage of eBay Sell APIs across inventory, orders, marketing, analytics, developer tools, and more
-- **9 AI Clients Supported** - Auto-configuration for Claude Desktop, Cursor, Zed, Cline, Continue.dev, Windsurf, Roo Code, Claude Code CLI, and Amazon Q
-- **OAuth 2.0 Support** - Full user token management with automatic refresh
-- **Type Safety** - Built with TypeScript, Zod validation, and OpenAPI-generated types
-- **MCP Integration** - STDIO transport for local integration and HTTP transport for hosted deployment
-- **Smart Authentication** - Automatic fallback from user tokens to client credentials where applicable
-- **Hosted Multi-User Mode** - Server-side OAuth + session-token auth for hosted MCP access
-- **Well Tested** - Comprehensive typecheck/build/deploy validation
-- **Interactive Setup Wizard** - Run `pnpm run setup` for guided local configuration
-- **Developer Analytics** - Rate limit monitoring and signing key management
+```bash
+PUBLIC_BASE_URL=https://ebay-local.test:3000
+EBAY_LOCAL_TLS_CERT_PATH=/path/to/ebay-local.test.pem
+EBAY_LOCAL_TLS_KEY_PATH=/path/to/ebay-local.test-key.pem
+```
-## Quick Start
+For hosted deployments, register your server's public HTTPS URL instead (e.g. `https://your-server.com/oauth/callback`).
-### 1. Get eBay Credentials
+---
-1. Create a free [eBay Developer Account](https://developer.ebay.com/)
-2. Generate application keys in the [Developer Portal](https://developer.ebay.com/my/keys)
-3. Save your **Client ID** and **Client Secret**
-4. Configure environment-specific RuNames for production and sandbox as needed
+## Local mode setup
-### 2. Install
+### Install
-**Option A — npm (easiest, no build step required):**
+**Option A — npm global install (no build step):**
 ```bash
 npm install -g ebay-mcp-remote-edition
-# or
-pnpm add -g ebay-mcp-remote-edition
-```
-Then run the setup wizard:
-```bash
-ebay-mcp-remote-edition --setup
 ```
-**Option B — clone and build (for contributors or if you want to self-host the HTTP server):**
+**Option B — clone and build (for contributors or self-hosting):**
 ```bash
 git clone https://github.com/mrnajiboy/ebay-mcp-remote-edition.git
@@ -151,83 +124,48 @@ pnpm install
 pnpm run build
 ```
-### 3. Run Local Setup Wizard
+### Configure credentials
-For local/STDIO usage after cloning:
+Create a `.env` file in the project root (see `.env.example`):
 ```bash
-pnpm run setup
-```
-### 4. Hosted Mode
-For hosted Render usage, see the next section.
----
-## Local MCP Client Configuration
-Two ways to configure your MCP client for local (STDIO) usage:
-- **Option A — `npx` (no clone needed):** Use `npx -y ebay-mcp-remote-edition` as the command. npm downloads and runs the latest published version automatically.
-- **Option B — local build:** Clone the repo, run `pnpm run build` and `pnpm run setup`, then point at `/absolute/path/to/ebay-mcp-remote-edition/build/index.js`.
+EBAY_CLIENT_ID=your_client_id
+EBAY_CLIENT_SECRET=your_client_secret
+EBAY_RUNAME=your_runame_string
+EBAY_ENVIRONMENT=sandbox           # or production
+EBAY_MARKETPLACE_ID=EBAY_US        # optional, defaults to EBAY_US
+EBAY_CONTENT_LANGUAGE=en-US        # optional, defaults to en-US
-The configs below show both. Supply your eBay credentials either as `env` fields in the config or via a `.env` file in the working directory.
+# Populated by the setup wizard:
+EBAY_USER_REFRESH_TOKEN=
+```
-> **Getting your credentials:** Run `pnpm run setup` in the cloned repo — it completes the OAuth flow and writes `EBAY_USER_REFRESH_TOKEN` to `.env`.
+**Authentication tiers:**
-### Cline
+| Method | Rate limit | How |
+|--------|-----------|-----|
+| Client credentials (default) | 1,000 req/day | Just set `EBAY_CLIENT_ID` + `EBAY_CLIENT_SECRET` |
+| User tokens (recommended) | 10,000–50,000 req/day | Run the setup wizard to complete OAuth and populate `EBAY_USER_REFRESH_TOKEN` |
-Config file location:
-`~/Library/Application Support/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json`
+### Run the setup wizard
-**Using npx (no clone needed):**
+The interactive wizard guides you through environment selection, credential entry, OAuth login, and MCP client configuration:
-```json
-{
-  "mcpServers": {
-    "ebay": {
-      "command": "npx",
-      "args": ["-y", "ebay-mcp-remote-edition"],
-      "env": {
-        "EBAY_CLIENT_ID": "YOUR_CLIENT_ID",
-        "EBAY_CLIENT_SECRET": "YOUR_CLIENT_SECRET",
-        "EBAY_ENVIRONMENT": "sandbox",
-        "EBAY_REDIRECT_URI": "YOUR_RUNAME",
-        "EBAY_USER_REFRESH_TOKEN": "YOUR_REFRESH_TOKEN"
-      }
-    }
-  }
-}
+```bash
+pnpm run setup
 ```
-**Using local build:**
+Options:
+- `--quick` — skip optional steps
+- `--diagnose` — run connectivity and token checks only
-```json
-{
-  "mcpServers": {
-    "ebay": {
-      "command": "node",
-      "args": ["/absolute/path/to/ebay-mcp-remote-edition/build/index.js"],
-      "env": {
-        "EBAY_CLIENT_ID": "YOUR_CLIENT_ID",
-        "EBAY_CLIENT_SECRET": "YOUR_CLIENT_SECRET",
-        "EBAY_ENVIRONMENT": "sandbox",
-        "EBAY_REDIRECT_URI": "YOUR_RUNAME",
-        "EBAY_USER_REFRESH_TOKEN": "YOUR_REFRESH_TOKEN"
-      }
-    }
-  }
-}
-```
+After completing OAuth, the wizard writes `EBAY_USER_REFRESH_TOKEN` to `.env` and optionally configures Claude Desktop automatically.
-### Claude Desktop
+### Local client configuration
-Config file location:
-- **macOS:** `~/Library/Application Support/Claude/claude_desktop_config.json`
-- **Windows:** `%APPDATA%\Claude\claude_desktop_config.json`
+For direct STDIO usage, configure your MCP client to launch the server as a subprocess. All clients use the same JSON pattern:
-**Using npx:**
+**Using npm (no clone needed):**
 ```json
 {
@@ -239,7 +177,7 @@ Config file location:
         "EBAY_CLIENT_ID": "YOUR_CLIENT_ID",
         "EBAY_CLIENT_SECRET": "YOUR_CLIENT_SECRET",
         "EBAY_ENVIRONMENT": "sandbox",
-        "EBAY_REDIRECT_URI": "YOUR_RUNAME",
+        "EBAY_RUNAME": "YOUR_RUNAME",
         "EBAY_USER_REFRESH_TOKEN": "YOUR_REFRESH_TOKEN"
       }
     }
@@ -247,7 +185,7 @@ Config file location:
 }
 ```
-**Using local build:**
+**Using a local build:**
 ```json
 {
@@ -259,7 +197,7 @@ Config file location:
         "EBAY_CLIENT_ID": "YOUR_CLIENT_ID",
         "EBAY_CLIENT_SECRET": "YOUR_CLIENT_SECRET",
         "EBAY_ENVIRONMENT": "sandbox",
-        "EBAY_REDIRECT_URI": "YOUR_RUNAME",
+        "EBAY_RUNAME": "YOUR_RUNAME",
         "EBAY_USER_REFRESH_TOKEN": "YOUR_REFRESH_TOKEN"
       }
     }
@@ -267,119 +205,68 @@ Config file location:
 }
 ```
-### Cursor
+**Config file locations by client:**
-Global config: `~/.cursor/mcp.json`
-Project config: `.cursor/mcp.json` (in your project root)
+| Client | Config file |
+|--------|-------------|
+| Cline | `~/Library/Application Support/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json` |
+| Claude Desktop (macOS) | `~/Library/Application Support/Claude/claude_desktop_config.json` |
+| Claude Desktop (Windows) | `%APPDATA%\Claude\claude_desktop_config.json` |
+| Cursor (global) | `~/.cursor/mcp.json` |
+| Cursor (project) | `.cursor/mcp.json` |
-**Using npx:**
+Zed, Windsurf, Continue.dev, Roo Code, and Amazon Q follow the same `mcpServers` JSON shape.
-```json
-{
-  "mcpServers": {
-    "ebay": {
-      "command": "npx",
-      "args": ["-y", "ebay-mcp-remote-edition"],
-      "env": {
-        "EBAY_CLIENT_ID": "YOUR_CLIENT_ID",
-        "EBAY_CLIENT_SECRET": "YOUR_CLIENT_SECRET",
-        "EBAY_ENVIRONMENT": "sandbox",
-        "EBAY_REDIRECT_URI": "YOUR_RUNAME",
-        "EBAY_USER_REFRESH_TOKEN": "YOUR_REFRESH_TOKEN"
-      }
-    }
-  }
-}
-```
-**Using local build:**
-```json
-{
-  "mcpServers": {
-    "ebay": {
-      "command": "node",
-      "args": ["/absolute/path/to/ebay-mcp-remote-edition/build/index.js"],
-      "env": {
-        "EBAY_CLIENT_ID": "YOUR_CLIENT_ID",
-        "EBAY_CLIENT_SECRET": "YOUR_CLIENT_SECRET",
-        "EBAY_ENVIRONMENT": "sandbox",
-        "EBAY_REDIRECT_URI": "YOUR_RUNAME",
-        "EBAY_USER_REFRESH_TOKEN": "YOUR_REFRESH_TOKEN"
-      }
-    }
-  }
-}
-```
+---
-### Other STDIO clients (Zed, Windsurf, Continue.dev, Roo Code, Amazon Q)
+## Hosted mode setup
-All STDIO-based clients use the same pattern. Use `npx -y ebay-mcp-remote-edition` for zero-install, or point `command` at `node` with `build/index.js` for a local build.
+The hosted HTTP server exposes environment-scoped MCP and OAuth endpoints, handles eBay OAuth server-side, and issues session tokens to MCP clients.
-**Using npx:**
+### Hosted environment variables
-```json
-{
-  "mcpServers": {
-    "ebay": {
-      "command": "npx",
-      "args": ["-y", "ebay-mcp-remote-edition"],
-      "env": {
-        "EBAY_CLIENT_ID": "YOUR_CLIENT_ID",
-        "EBAY_CLIENT_SECRET": "YOUR_CLIENT_SECRET",
-        "EBAY_ENVIRONMENT": "sandbox",
-        "EBAY_REDIRECT_URI": "YOUR_RUNAME",
-        "EBAY_USER_REFRESH_TOKEN": "YOUR_REFRESH_TOKEN"
-      }
-    }
-  }
-}
-```
+```bash
+# Server
+PORT=3000
+MCP_HOST=0.0.0.0
+PUBLIC_BASE_URL=https://your-server.com
----
+# eBay credentials (prefer secret file below instead of raw env)
+EBAY_DEFAULT_ENVIRONMENT=production    # sandbox or production
-## Hosted Render Deployment
+# Persistent token/session storage backend (required for multi-user hosted mode)
+EBAY_TOKEN_STORE_BACKEND=cloudflare-kv # cloudflare-kv | upstash-redis | memory
-### Build command
+# Cloudflare KV (when EBAY_TOKEN_STORE_BACKEND=cloudflare-kv)
+CLOUDFLARE_ACCOUNT_ID=
+CLOUDFLARE_KV_NAMESPACE_ID=
+CLOUDFLARE_API_TOKEN=
-```bash
-pnpm install && pnpm run build
-```
+# Upstash Redis (when EBAY_TOKEN_STORE_BACKEND=upstash-redis)
+UPSTASH_REDIS_REST_URL=
+UPSTASH_REDIS_REST_TOKEN=
-### Start command
+# Security
+ADMIN_API_KEY=              # required for admin session endpoints
+OAUTH_START_KEY=            # optional; protects /oauth/start with a shared secret
-```bash
-pnpm run start:http
-```
+# Session TTL (optional; default 30 days)
+SESSION_TTL_SECONDS=2592000
-### Recommended Render environment variables
+# Logging
+EBAY_LOG_LEVEL=info
+EBAY_MARKETPLACE_ID=EBAY_US
+EBAY_CONTENT_LANGUAGE=en-US
-```bash
-PORT=
-NODE_VERSION=
-PUBLIC_BASE_URL=https://your-server.com
+# Path to secret file (see below)
 EBAY_CONFIG_FILE=/etc/secrets/ebay-config.json
-EBAY_DEFAULT_ENVIRONMENT=sandbox|production
-EBAY_TOKEN_STORE_BACKEND=cloudflare-kv
-CLOUDFLARE_ACCOUNT_ID=ID
-CLOUDFLARE_KV_NAMESPACE_ID=ID
-CLOUDFLARE_API_TOKEN=your-cloudflare-api-token
-ADMIN_API_KEY=your-admin-api-key
-OAUTH_START_KEY=optional-shared-secret-for-oauth-start
-EBAY_MARKETPLACE_ID=EBAY_COUNTRY
-EBAY_CONTENT_LANGUAGE=lang-COUNTRY
-EBAY_LOG_LEVEL=info
 ```
-### Render secret file
+> Use `EBAY_TOKEN_STORE_BACKEND=memory` only for local development or tests. All OAuth state, session tokens, and user tokens are lost on restart.
-Filename:
+### Secret file
-```text
-ebay-config.json
-```
-Example contents:
+Store eBay credentials in a mounted secret file rather than raw environment variables. On Render, create a **Secret File** named `ebay-config.json` mounted at `/etc/secrets/ebay-config.json`:
 ```json
 {
@@ -396,160 +283,141 @@ Example contents:
 }
 ```
-Render mounts it at:
+### Deploy to Render
-```text
-/etc/secrets/ebay-config.json
-```
+1. Connect your repo to Render as a **Web Service**
+2. Set **Build command:**
+   ```bash
+   pnpm install && pnpm run build
+   ```
+3. Set **Start command:**
+   ```bash
+   pnpm run start:http
+   ```
+4. Add the environment variables listed above
+5. Add the `ebay-config.json` secret file
-### OAuth flows
+The server starts on the port Render assigns via `$PORT` and logs the active KV backend on startup.
-Start production OAuth:
+### OAuth flows
-```text
-/oauth/start?env=production
-```
+eBay requires a single registered callback URL per application. The hosted server registers `/oauth/callback` at the root and recovers the environment from the stored OAuth state record.
-Start sandbox OAuth:
+**Start an OAuth flow (browser):**
-```text
-/oauth/start?env=sandbox
 ```
-If `OAUTH_START_KEY` is configured, include either:
-```text
-/oauth/start?env=production&key=YOUR_OAUTH_START_KEY
+GET /sandbox/oauth/start         # always sandbox
+GET /production/oauth/start      # always production
 ```
-or send:
-```text
-X-OAuth-Start-Key: YOUR_OAUTH_START_KEY
+If `OAUTH_START_KEY` is set, include it as a query parameter or header:
 ```
-### Hosted session token usage
-After successful callback, the app issues a session token and displays it in a copy-friendly callback page.
-Use it in your MCP client:
-```text
-Authorization: Bearer <session-token>
+GET /sandbox/oauth/start?key=YOUR_OAUTH_START_KEY
+# or header:  X-OAuth-Start-Key: YOUR_OAUTH_START_KEY
 ```
-For Make/Zapier/TypingMind anywhere where Remote MCP is accepted, the practical supported flow is:
+After a successful login, the callback page displays your **session token**, **eBay access token**, and **eBay refresh token** with one-click copy buttons.
-1. complete browser OAuth via the hosted server
-2. copy the returned session token from the callback page
-3. paste it into the platform's API Key / Access token field
+**Session token TTL schedule:**
-Normal MCP usage should not open a browser window once a valid hosted session token already exists.
+| Record | `expiresAt` field | Backend TTL |
+|--------|-------------------|-------------|
+| OAuth state | 15 minutes | 15 minutes |
+| MCP auth code | 10 minutes | 10 minutes |
+| Session | 30 days (configurable) | Matches `SESSION_TTL_SECONDS` |
+| User token record | eBay refresh token expiry (fallback: 18 months) | Matches token expiry |
-### Admin endpoints
+### MCP endpoints
-Require:
+**Environment-scoped (recommended):**
-```text
-X-Admin-API-Key: <ADMIN_API_KEY>
 ```
-Endpoints:
-- `GET /admin/session/:sessionToken`
-- `POST /admin/session/:sessionToken/revoke`
-- `DELETE /admin/session/:sessionToken`
-### Session introspection
-```text
-GET /whoami
-Authorization: Bearer <session-token>
+POST/GET/DELETE /sandbox/mcp
+POST/GET/DELETE /production/mcp
 ```
-### MCP endpoint
-```text
-POST /mcp
-GET /mcp
-DELETE /mcp
+Each scoped path includes its own OAuth 2.1 discovery document:
+```
+GET /sandbox/.well-known/oauth-authorization-server
+GET /production/.well-known/oauth-authorization-server
 ```
-#### Initial auth behavior
-- `GET /mcp` without a valid Bearer token redirects into browser OAuth
-- default environment is production
-- sandbox can be requested with `?env=sandbox`
-- `POST /mcp` without a valid Bearer token returns an auth-required JSON response
-This means browser-driven onboarding works cleanly, while protocol clients can still receive a structured auth response.
-### Privacy recommendations
+**Legacy auto-detect (backward-compatible):**
+```
+POST/GET/DELETE /mcp        # resolves environment from ?env= or EBAY_DEFAULT_ENVIRONMENT
+```
-If you want the service URL to be less exposed:
+**Authentication behavior:**
+- `GET /mcp` (or scoped variant) without a valid Bearer token redirects the browser to the matching `oauth/start` URL
+- `POST /mcp` without a valid Bearer token returns a structured `401` JSON with an `authorization_url` field
+- All requests supply a session token via `Authorization: Bearer <session-token>`
-- protect `/oauth/start` with `OAUTH_START_KEY`
-- protect `/admin/*` with `ADMIN_API_KEY`
-- keep `/oauth/callback` reachable by eBay
-- optionally place `/`, `/oauth/start`, and `/admin/*` behind Cloudflare Access
-- keep `/health` available if needed by Render health checks
+**Other utility endpoints:**
----
+```
+GET  /health                           # Server health check (no auth required)
+GET  /whoami                           # Session identity; requires Bearer token
+GET  /admin/session/:sessionToken      # View session; requires X-Admin-API-Key
+POST /admin/session/:sessionToken/revoke  # Revoke session
+DELETE /admin/session/:sessionToken    # Delete session
+```
-## Hosted MCP Client Configuration
+`/whoami` response:
+```json
+{
+  "userId": "...",
+  "environment": "sandbox",
+  "createdAt": "2026-03-23T08:00:00.000Z",
+  "expiresAt": "2026-04-22T08:00:00.000Z",
+  "lastUsedAt": "2026-03-23T09:30:00.000Z",
+  "revokedAt": null
+}
+```
-The hosted server implements a full **MCP OAuth 2.1 authorization server** (RFC 8414 / RFC 7591 / RFC 6749 + PKCE). MCP clients that support OAuth discovery — such as Cline — will handle the full browser-based eBay login flow automatically with no manual token pasting required.
+### Remote client configuration
 Replace `https://your-server.com` with your actual `PUBLIC_BASE_URL`.
-### Cline (recommended — full OAuth auto-discovery)
+#### Cline (automatic OAuth — no manual token needed)
-Cline supports OAuth 2.1 discovery natively. Just point it at the MCP endpoint and it handles everything:
+Cline supports MCP OAuth 2.1 discovery natively. It fetches the discovery document, registers itself, opens the eBay browser login, exchanges the auth code for a session token, and stores it — all automatically.
 ```json
 {
   "mcpServers": {
-    "ebay": {
-      "url": "https://your-server.com/mcp"
+    "ebay-sandbox": {
+      "url": "https://your-server.com/sandbox/mcp"
+    },
+    "ebay-production": {
+      "url": "https://your-server.com/production/mcp"
     }
   }
 }
 ```
-**What happens automatically:**
-1. Cline fetches `/.well-known/oauth-authorization-server` to discover the auth server.
-2. It registers itself at `POST /register` (Dynamic Client Registration).
-3. Your browser opens `GET /authorize`, which redirects to eBay's login page.
-4. After you grant access, eBay redirects to `/oauth/callback`, which issues an MCP auth code and sends it back to Cline.
-5. Cline exchanges the code at `POST /token` for a session token and stores it.
-6. All subsequent `/mcp` requests are authenticated automatically.
+What Cline does automatically:
+1. Fetches `/.well-known/oauth-authorization-server` for the scoped path
+2. Registers at `POST /sandbox/register` (or `/production/register`)
+3. Your browser opens `GET /sandbox/authorize`, which redirects to eBay login
+4. After you grant access, eBay redirects to `/oauth/callback`, which issues an auth code
+5. Cline exchanges the code at `POST /sandbox/token` for a session token and stores it
+6. All subsequent `/sandbox/mcp` requests authenticate automatically
-> **`OAUTH_START_KEY` note:** If your server has `OAUTH_START_KEY` set, the `/authorize` endpoint also requires it. You can temporarily disable it for first-time client setup, or consult your server operator for the key.
+#### Claude Desktop and Cursor (Bearer token)
-### Claude Desktop (HTTP remote with pre-obtained session token)
+Claude Desktop and most other remote MCP clients require a pre-obtained session token. Complete the browser OAuth flow first:
-Claude Desktop's remote MCP support requires an explicit `Authorization` header. Complete the browser OAuth flow at `https://your-server.com/oauth/start` first to get your session token, then configure:
+1. Open `https://your-server.com/sandbox/oauth/start` (or `/production/oauth/start`) in a browser
+2. Log in with your eBay account
+3. Copy the session token from the confirmation page
-```json
-{
-  "mcpServers": {
-    "ebay": {
-      "url": "https://your-server.com/mcp",
-      "headers": {
-        "Authorization": "Bearer YOUR_SESSION_TOKEN"
-      }
-    }
-  }
-}
-```
-### Cursor (HTTP remote with pre-obtained session token)
+Then configure your client:
 ```json
 {
   "mcpServers": {
-    "ebay": {
-      "url": "https://your-server.com/mcp",
+    "ebay-sandbox": {
+      "url": "https://your-server.com/sandbox/mcp",
       "headers": {
         "Authorization": "Bearer YOUR_SESSION_TOKEN"
       }
@@ -558,197 +426,169 @@ Claude Desktop's remote MCP support requires an explicit `Authorization` header.
 }
 ```
-### Make / Zapier / TypingMind and similar platforms
+#### Make / Zapier / TypingMind and similar platforms
-These platforms use a fixed token field. To connect:
-1. Open `https://your-server.com/oauth/start?env=production` in a browser.
-2. Complete the eBay login flow.
-3. Copy the session token from the confirmation page.
-4. Paste it as your **API Key / Bearer token** in the platform's MCP connector settings.
-5. Set the MCP endpoint URL to `https://your-server.com/mcp`.
+1. Open `https://your-server.com/sandbox/oauth/start` in a browser and complete eBay login
+2. Copy the session token from the confirmation page
+3. Paste it as the **API Key / Bearer token** in the platform's MCP connector settings
+4. Set the MCP endpoint URL to `https://your-server.com/sandbox/mcp`
 ---
-## Configuration
-### Environment Variables
-Local mode still supports the classic environment-variable model:
-```bash
-EBAY_CLIENT_ID=your_client_id
-EBAY_CLIENT_SECRET=your_client_secret
-EBAY_ENVIRONMENT=sandbox|production
-EBAY_REDIRECT_URI=your_runame
-EBAY_MARKETPLACE_ID=EBAY_COUNTRY
-EBAY_CONTENT_LANGUAGE=lang_COUNTRY
-EBAY_USER_REFRESH_TOKEN=your_refresh_token
-```
-### OAuth Authentication
-**Client Credentials:** lower-rate, application-level access.
-**User Tokens:** higher-rate access for seller/member-specific operations.
-For hosted mode, OAuth is handled server-side by the Render deployment.
+## Available tools
-## Available Tools
-The server provides **325+ tools** across:
+325+ tools across all eBay Sell API categories:
 - Account Management
 - Inventory Management
 - Order Fulfillment
 - Marketing & Promotions
-- Analytics
-- Communication
+- Analytics & Reporting
+- Communication (messages, feedback, notifications, negotiation)
 - Metadata & Taxonomy
-- Developer Tools
-- Token / Auth-related helper tools
+- Developer Tools (key management, analytics)
+- Auth / Token helper tools
+Full tool source: [`src/tools/definitions/`](src/tools/definitions/)
-For the complete tool list, see [src/tools/definitions/](src/tools/definitions/).
+---
 ## Development
-### Prerequisites
+### Commands reference
+| Command | Description |
+|---------|-------------|
+| `pnpm run build` | Compile TypeScript to JavaScript |
+| `pnpm start` | Run local STDIO MCP server |
+| `pnpm run start:http` | Run hosted HTTP MCP server |
+| `pnpm run dev` | Local STDIO server with hot reload |
+| `pnpm run dev:http` | Hosted HTTP server with hot reload |
+| `pnpm test` | Run test suite |
+| `pnpm run setup` | Interactive local setup wizard |
+| `pnpm run sync` | Download latest eBay OpenAPI specs and regenerate types |
+| `pnpm run diagnose` | Check configuration and connectivity |
+| `pnpm run typecheck` | Run TypeScript type checking |
+| `pnpm run check` | Typecheck + lint + format check |
+| `pnpm run fix` | Auto-fix lint and format issues |
-- Node.js >= 24.0.0
-- [pnpm](https://pnpm.io/) (`npm install -g pnpm`)
-- eBay Developer Account
+### `pnpm run sync`
-### Quick Start for Contributors
+Downloads the latest eBay OpenAPI specs, regenerates TypeScript types, and reports implemented vs missing endpoints. Run this when you want to pick up new eBay API surface:
 ```bash
-git clone https://github.com/mrnajiboy/ebay-mcp-remote-edition.git
-cd ebay-mcp-remote-edition
-pnpm install
-pnpm run build
+pnpm run sync
 pnpm run typecheck
-pnpm test
+pnpm run build
 ```
-### Commands Reference
-| Command                  | Description                                        |
-| ------------------------ | -------------------------------------------------- |
-| `pnpm run build`         | Compile TypeScript to JavaScript                   |
-| `pnpm start`             | Run local STDIO MCP server                         |
-| `pnpm run start:http`    | Run hosted HTTP MCP server                         |
-| `pnpm run dev`           | Run local server with hot reload                   |
-| `pnpm run dev:http`      | Run hosted HTTP server with hot reload             |
-| `pnpm test`              | Run test suite                                     |
-| `pnpm run setup`         | Interactive setup wizard                           |
-| `pnpm run sync`          | Sync specs, generate types, find missing endpoints |
-| `pnpm run diagnose`      | Check configuration and connectivity               |
-| `pnpm run check`         | Run typecheck + lint + format check                |
-| `pnpm run fix`           | Auto-fix lint and format issues                    |
+Review the diff, commit the generated changes you want to keep, and deploy.
-### About `pnpm run sync`
+### Local env management
-This command is a spec/type regeneration workflow. It is **not** an upstream git sync.
-It will:
-1. Download latest OpenAPI specs from eBay
-2. Generate TypeScript types from specs
-3. Analyze implemented vs missing endpoints
-4. Produce a sync report
-Run it intentionally when you want to refresh generated artifacts.
-### Manual sync workflow
-This fork treats sync as a repo-side maintenance workflow, not a live server feature.
-Recommended manual flow:
+For local development, standard runtime scripts automatically load `.env` via dotenvx. Hosted platforms should provide environment variables directly — the server detects hosted environments (e.g. `RENDER=true`) and skips local file loading.
 ```bash
-pnpm install
-pnpm run sync
-pnpm run typecheck
-pnpm run build
+pnpm run env:encrypt   # encrypt .env for safe sharing
+pnpm run env:decrypt   # decrypt
 ```
-Then review the diff, commit the generated changes you want to keep, and deploy from Git.
+### Logging
-## Dependency policy
+```bash
+EBAY_LOG_LEVEL=debug             # error | warn | info | debug
+EBAY_ENABLE_FILE_LOGGING=true    # write logs to files
+```
-This fork uses normal semver-compatible dependency ranges so fresh installs can pick up newer compatible versions automatically. The MCP SDK dependency has been bumped to a newer range so patched transitive dependencies can be resolved during install rather than requiring users to perform a manual update after cloning.
+---
-After dependency changes, validate with:
+## Testing & validation
 ```bash
-pnpm run typecheck
+# Build and type check
 pnpm run build
-```
+pnpm run typecheck
-## Logging
+# Run the test suite
+pnpm test
-The server includes Winston-based logging for easier debugging.
+# Check connectivity and token status
+pnpm run diagnose
-### Log Levels
+# Verify hosted server health
+curl https://your-server.com/health
-```bash
-EBAY_LOG_LEVEL=debug
-```
+# Verify a session token
+curl -H "Authorization: Bearer <session-token>" https://your-server.com/whoami
-### File Logging
-```bash
-EBAY_ENABLE_FILE_LOGGING=true
+# Test MCP endpoint returns auth challenge when no token is provided
+curl -X POST https://your-server.com/sandbox/mcp \
+  -H "Content-Type: application/json" \
+  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
+# → should return 401 with authorization_url
 ```
+---
 ## Troubleshooting
 ### Hosted MCP returns 406
-If your MCP test client gets `406 Not Acceptable`, include:
-```text
+Include the correct `Accept` header in your MCP client:
+```
 Accept: application/json, text/event-stream
 ```
-### OAuth browser flow
+### OAuth callback: "Invalid or expired OAuth state"
-In hosted mode, browser OAuth is needed for:
+OAuth state records expire in 15 minutes. If you see this error, restart the browser OAuth flow.
-- first-time account connection
-- re-authorization after token expiry/revocation
+### Token verification fails on existing refresh token
-For Make and TypingMind, the server currently expects users to complete browser OAuth first and then paste the issued session token into the platform's token field. The server then takes over token refresh and ongoing eBay access.
+Refresh tokens expire after ~18 months or can be revoked by eBay (password changes, etc.). Run the setup wizard again to obtain a new one:
+```bash
+pnpm run setup
+```
-Normal MCP usage should rely on the issued session token.
+In hosted mode, start a new browser OAuth flow at `/sandbox/oauth/start` or `/production/oauth/start`.
-### Security reminders
+### Session token no longer works in hosted mode
-- Do not paste session tokens publicly
-- Revoke any exposed session tokens with the admin endpoint
-- Rotate exposed eBay client secrets and update your Render secret file
+Check whether the session was revoked or expired:
+```bash
+curl -H "Authorization: Bearer <token>" https://your-server.com/whoami
+```
-## Cloudflare Access recommendation
+Revoke exposed session tokens via the admin endpoint:
+```bash
+curl -X POST https://your-server.com/admin/session/<token>/revoke \
+  -H "X-Admin-API-Key: YOUR_ADMIN_API_KEY"
+```
-If you want browser/admin surfaces to be private to only you:
+### Security checklist
-- protect `/`
-- protect `/oauth/start`
-- protect `/admin/*`
-- keep `/oauth/callback` reachable by eBay
-- keep `/mcp` outside Cloudflare Access unless your MCP client is verified to work through Cloudflare Access
-- keep `/health` reachable if Render uses it for health checks
+- Do not commit `.env` or session tokens to version control
+- Protect `/oauth/start` and `/admin/*` with `OAUTH_START_KEY` and `ADMIN_API_KEY`
+- Keep `/oauth/callback` publicly reachable (eBay redirects to it after login)
+- Keep `/health` reachable if Render uses it for health checks
+- For production-grade isolation, optionally place `/`, `/oauth/start`, and `/admin/*` behind Cloudflare Access
+- Rotate exposed eBay client secrets and update your secret file
-This is the recommended way to make the hosted URL effectively private without breaking OAuth callback or MCP compatibility.
+---
 ## Resources
 - [eBay Developer Portal](https://developer.ebay.com/)
 - [MCP Documentation](https://modelcontextprotocol.io/)
-- [OAuth Setup Guide](docs/auth/)
+- [Auth Configuration Guide](docs/auth/CONFIGURATION.md)
+- [OAuth Quick Reference](docs/auth/OAUTH_QUICK_REFERENCE.md)
+- [API Status](docs/API_STATUS.md)
+- [Changelog](CHANGELOG.md)
 - [Contributing Guidelines](CONTRIBUTING.md)
 - [Security Policy](SECURITY.md)
-- [Changelog](CHANGELOG.md)
+---
 ## License
-This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
+MIT — see [LICENSE](LICENSE)